What We Accomplished


• A formal statement of Interactive Consistency Conditions* in the
Boyer-Moore logic.

• A formal statement of the Oral Messages algorithm OM in the
Boyer-Moore logic.

• A mechanically checked proof that OM satisfies the Interactive 
Consistency conditions. 

• A mechanically checked proof of the optimality result: no algorithm 
can tolerate fewer faults than OM yet still achieve Interactive 
Consistency. 

• The use of OM in a functional specification for a fault-tolerant device. 

• A formal description of the design of the device. 

• A mechanically checked proof that the device design satisfies the 
specification. 

• An implementation of the design in programmable logic arrays. 


*See "The Byzantine Generals Problem", Lamport, Shostak and Pease, ACM TOPLAS Vol. 4,
No. 3, July 1982.
A Stack of Related Machines

The Specification


The specification is a function that describes a finite state machine. 


At every step, each of N processes 

1. reads its sensor input, 

2. exchanges its sensor value with all other processes, 

3. produces an interactive consistency vector (ICV) that contains what it 
concludes is each other process’s value, and 

4. applies a filter function to the ICV to produce an output. 
Properties of the Specification Function


The exchange of sensor values is accomplished by an algorithm called OM. 


OM achieves interactive consistency. That is:


A process sends a message to n-1 destination processes.

1. All non-faulty destination processes agree on the same received 
value. 

2. If the sending process is non-faulty, then every non-faulty destination 
process receives the message sent. 


OM has been defined as a function in the Boyer-Moore logic, and a proof that 
interactive consistency is achieved has been mechanically checked. 
Formal Statement of Correctness of OM


Let

• n be the number of processes,

• L be the set {0, ..., n-1},

• g, i, j ∈ L be process names,

• x be g’s local value, and

• m give the number of rounds of information exchange.


The interactive consistency conditions are stated as follows. 

$$\neg\,\mathit{faulty}(i)\ \land\ \neg\,\mathit{faulty}(j)\ \land\ 3\cdot\mathit{faults}(L) < n\ \land\ \mathit{faults}(L) \le m\ \rightarrow\ OM(n, g, x, m)[i] = OM(n, g, x, m)[j]$$


$$\neg\,\mathit{faulty}(g)\ \land\ \neg\,\mathit{faulty}(i)\ \land\ 3\cdot\mathit{faults}(L) < n\ \land\ \mathit{faults}(L) \le m\ \rightarrow\ OM(n, g, x, m)[i] = x$$
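As an added illustration, not the Boyer-Moore definitions from the talk, the following Python models OM from the cited Lamport, Shostak and Pease paper and checks the two conditions above for every sender g, including the n = 4, m = 1 configuration of the four-device design and an n = 3 case where the hypothesis 3·faults(L) < n fails. The channel model (a faulty process tells each receiver a different value) and the default value 0 used when no majority exists are assumptions.

```python
from collections import Counter

# Constructed model, not the talk's Boyer-Moore definition.
DEFAULT = 0  # value used when no strict majority exists

def majority(values, default=DEFAULT):
    """Return the strict-majority value, or `default` if there is none."""
    value, count = Counter(values).most_common(1)[0]
    return value if 2 * count > len(values) else default

def send(sender, receiver, value, faulty):
    """Channel model (assumption): a faulty sender tells each receiver
    a different value, its index; a non-faulty sender relays honestly."""
    return receiver if sender in faulty else value

def om_round(m, commander, lieutenants, value, faulty):
    """OM(m) of Lamport, Shostak and Pease: {lieutenant: settled value}."""
    received = {i: send(commander, i, value, faulty) for i in lieutenants}
    if m == 0:
        return received
    # Every lieutenant j relays what it heard to the others using OM(m-1).
    relayed = {j: om_round(m - 1, j, [k for k in lieutenants if k != j],
                           received[j], faulty) for j in lieutenants}
    return {i: majority([received[i]] + [relayed[j][i]
                                        for j in lieutenants if j != i])
            for i in lieutenants}

def OM(n, g, x, m, faulty):
    """OM(n, g, x, m)[i] is the value process i concludes for g; L = {0..n-1}."""
    result = om_round(m, g, [i for i in range(n) if i != g], x, faulty)
    result[g] = x  # g's own entry is its local value
    return result

def interactive_consistency(n, m, faulty, x=5):
    """Check both conditions of the formal statement for every sender g."""
    sound = [p for p in range(n) if p not in faulty]
    for g in range(n):
        icv = OM(n, g, x, m, faulty)
        # Condition 1: all non-faulty processes agree on g's value.
        if any(icv[i] != icv[j] for i in sound for j in sound):
            return False
        # Condition 2: a non-faulty g's value x arrives intact.
        if g not in faulty and any(icv[i] != x for i in sound):
            return False
    return True

if __name__ == "__main__":
    print(interactive_consistency(4, 1, faulty={2}))  # True: n=4, m=1, one fault
    print(interactive_consistency(3, 1, faulty={2}))  # False: 3*faults < n fails
```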



Specification Abstraction 


The following aspects of the specification are not constrained:

1. The number of processes.

2. The types of the input and output values.

3. The nature of the filter function.


What Interactive Consistency Guarantees 


The specification can be thought of as a function which 

• receives a sequence of N-tuples of input values, and 

• produces a sequence of N-tuples of output values.



Because of Interactive Consistency, we can conclude:

At each step, all non-faulty processes agree on their output iff the total number of
processors exceeds three times the number of faulty processors.
A Process Internal State


[Diagram: process internal state (data_in)]
Process Steps


0: data_out[i] ← sense, i ∈ {0,1,2}
   icv[3] ← sense
   clock ← clock+1

1: m[0,i] ← input[i], i ∈ {0,1,2}
   data_out[0] ← input[1]
   data_out[1] ← input[0]
   data_out[2] ← input[0]
   clock ← clock+1

2: m[1,i] ← input[i], i ∈ {0,1,2}
   data_out[0] ← m[0,2]
   data_out[1] ← m[0,2]
   data_out[2] ← m[0,1]
   clock ← clock+1

3: m[2,i] ← input[i], i ∈ {0,1,2}
   clock ← clock+1

4: icv[0] ← majority(m[0,0], m[1,2], m[2,1])
   icv[1] ← majority(m[0,1], m[1,0], m[2,2])
   icv[2] ← majority(m[0,2], m[1,1], m[2,0])
   clock ← clock+1

5: Actuator ← filter(icv)
   clock ← clock+1

6: clock ← clock+1

7: clock ← clock+1
Summary of Device Design


1. Four identical devices.

2. Only internal and external data flow specified, data width not. 

3. Filter function constrained to tolerate ICV rotations. 




Device Implementation 

by Larry Smith 